![Page 1: New approaches to vulnerability management](https://reader034.vdocument.in/reader034/viewer/2022042713/546d269daf795953298b5177/html5/thumbnails/1.jpg)
New Approaches to Vulnerability Management
Todd Graham
Director, Risk & Compliance
RSA
![Page 2: New approaches to vulnerability management](https://reader034.vdocument.in/reader034/viewer/2022042713/546d269daf795953298b5177/html5/thumbnails/2.jpg)
What is Vulnerability Management?
• The definition thus far[1]:
“Vulnerability management is the cyclical practice of identifying, classifying, remediating, and mitigating vulnerabilities. This practice generally refers to software vulnerabilities in computing systems.”
“Host and infrastructure vulnerabilities can often be addressed by applying patches or changing configuration settings. Custom software or application-based vulnerabilities often require additional software development in order to fully mitigate. Technologies such as web application firewalls can be used in the short term to shield systems, but to address the root cause, changes must be made to the underlying software.”
[1] Thank you Wikipedia
![Page 3: New approaches to vulnerability management](https://reader034.vdocument.in/reader034/viewer/2022042713/546d269daf795953298b5177/html5/thumbnails/3.jpg)
Mega Changes Forcing Evolution
• Cloud
– New area to audit and protect
– Computing power available for good and evil
• Virtualization
– The data center becomes homogeneous
– Potential hypervisor-based vulnerabilities
• Attacker Motivation
– Vulnerabilities exploited for financial gain
• “Enterprization” of Consumer
– Web 2.0 technologies open up new threats to the enterprise
![Page 4: New approaches to vulnerability management](https://reader034.vdocument.in/reader034/viewer/2022042713/546d269daf795953298b5177/html5/thumbnails/4.jpg)
Classic VM Program Steps
• Define Policy - Organizations must start out by determining the desired security state for their environment. This includes determining desired device and service configurations and access control rules for users accessing resources.
• Baseline the Environment - Once a policy has been defined, the organization must assess the true security state of the environment and determine where instances of policy violations are occurring.
• Prioritize Vulnerabilities - Instances of policy violations are vulnerabilities. These vulnerabilities are then prioritized using risk- and effort-based criteria.
• Shield - In the short term, the organization can take steps to minimize the damage that could be caused by the vulnerability by creating compensating controls.
• Mitigate Vulnerabilities - Ultimately, the root causes of vulnerabilities must be addressed. This is often done by patching vulnerable services, changing vulnerable configurations or making application updates to remove vulnerable code.
• Maintain and Monitor - Organizations' computing environments are dynamic and evolve over time, as do security policy requirements. In addition, new security vulnerabilities are always being identified. For this reason, vulnerability management is an ongoing process rather than a point-in-time event.
Source: Gartner, Improve IT Security With Vulnerability Management
![Page 5: New approaches to vulnerability management](https://reader034.vdocument.in/reader034/viewer/2022042713/546d269daf795953298b5177/html5/thumbnails/5.jpg)
Technology Surfaces
• Network & Host
– Scan network to discover assets
– Determine asset type, version, and configuration
– Compare current device state to known vulnerabilities
• Application
– Profile applications to determine risky behavior or insecure programming techniques
– Part of SDLC and Vendor Management Programs
• Configuration Management
– Adjacent to traditional VM
– Focused on managing configuration to mitigate threats
![Page 6: New approaches to vulnerability management](https://reader034.vdocument.in/reader034/viewer/2022042713/546d269daf795953298b5177/html5/thumbnails/6.jpg)
What’s Next
Thesis:
The next generation of vulnerability management will come from the integration and correlation of disparate data sources, many of which already exist in the enterprise.
We need to intelligently connect the dots (SIEM, DLP, App Scanners, File and DB Access Monitoring…).
![Page 7: New approaches to vulnerability management](https://reader034.vdocument.in/reader034/viewer/2022042713/546d269daf795953298b5177/html5/thumbnails/7.jpg)
Creative Zero Day Detection
• Leverage your SIEM to detect and correlate abnormal behaviors
![Page 8: New approaches to vulnerability management](https://reader034.vdocument.in/reader034/viewer/2022042713/546d269daf795953298b5177/html5/thumbnails/8.jpg)
3 Step Process – Step 1
1. Collect and normalize information from VA scanners and asset inventory tracking systems
– View and manage the asset details across the entire enterprise
[Diagram (v3.5): vulnerability intelligence pipeline. Vulnerability definition sources A, B and C (WWW...) are acquired, parsed and normalized into a vulnerability database (VUL ID, structured description, asset predicates, severity), kept current by frequent vulnerability updates. IDS vendors' frequent signature updates are parsed and mapped from SIG ID to VUL ID refs, so signatures are tied to vulnerability IDs. Vulnerability assessment tool (VA) reports are parsed into asset IDs and asset predicate flags, encoded, and loaded into a periodically refreshed production asset-predicate table; normalized asset predicates are built and maintained from it. IDS/IPS device events (Event ID, Asset ID, IDS message) are parsed against the IDS message grammars, assigned a SIG ID, and from it a VUL ID and threat description.]
![Page 9: New approaches to vulnerability management](https://reader034.vdocument.in/reader034/viewer/2022042713/546d269daf795953298b5177/html5/thumbnails/9.jpg)
3 Step Process – Step 2
2. Embedded Vulnerability Repository
• Database of vulnerabilities from NVD
• Description, impact, cross-reference meta-data, affected products, vendors, versions, protocols, network service
![Page 10: New approaches to vulnerability management](https://reader034.vdocument.in/reader034/viewer/2022042713/546d269daf795953298b5177/html5/thumbnails/10.jpg)
3 Step Process – Step 3
3. Automatically relate security events to asset attributes via the vulnerability repository
– Assign a confidence to the impact an incident will have upon the target
![Page 11: New approaches to vulnerability management](https://reader034.vdocument.in/reader034/viewer/2022042713/546d269daf795953298b5177/html5/thumbnails/11.jpg)
The New Threat Surface: Customers
• Enterprises are beginning to view their customers and partners as threat sources
• Must identify threats against their customers (phishing, etc.) and work to mitigate
• Customer wanted to view VA scans next to anti-phishing
![Page 12: New approaches to vulnerability management](https://reader034.vdocument.in/reader034/viewer/2022042713/546d269daf795953298b5177/html5/thumbnails/12.jpg)
Bringing It All Together: Case Study Overview
• A global internet, mobility and communications company built a best-in-class Threat Management Program by:
– Consolidating Security and Asset Information
– Creating correlations to generate actionable intelligence
– Providing key stakeholders with information and vision of their risk
– Building a repeatable process for effective and efficient Threat Management
• Company Facts:
– Fortune Ranking: ~60
– 2006 Revenue: $54.29b
– Number of Employees: 68,483
![Page 13: New approaches to vulnerability management](https://reader034.vdocument.in/reader034/viewer/2022042713/546d269daf795953298b5177/html5/thumbnails/13.jpg)
Challenges
• Information Silos – Difficult to correlate security data to determine actual risk.
• Global Segmentation – Impossible to correlate data from third party and company managed assets.
• Ownership of Risk – Difficult for executives to determine which vulnerabilities affect their Products and Services.
• Lack of Visibility – Lack of reporting prevented executives from making intelligent decisions about acceptable risk to their business.
[Diagram: VA, Sys Mgmt, VA’ and Threat Feed shown as separate, unconnected silos]
![Page 14: New approaches to vulnerability management](https://reader034.vdocument.in/reader034/viewer/2022042713/546d269daf795953298b5177/html5/thumbnails/14.jpg)
Goals
• Effective Threat Management – Manage Threats from a Product and Services perspective.
• Information Consolidation – Turn disparate silos of information into actionable knowledge.
• Information Correlation – Correlate threat and asset data across multiple business units and geographies.
• Delivery – Enable executives to release their Products and Services faster to market.
• Ownership – Empower executives to effectively manage risks to their business through an enterprise security view of their business.
[Diagram: VA, Sys Mgmt, VA’ and Threat Feed brought together as consolidated sources]
![Page 15: New approaches to vulnerability management](https://reader034.vdocument.in/reader034/viewer/2022042713/546d269daf795953298b5177/html5/thumbnails/15.jpg)
Threat Management Strategy
[Diagram: VA, VA’ and Threat Feed -> Analyze & Prioritize -> Notify Personnel -> Remediation Tasks]
![Page 16: New approaches to vulnerability management](https://reader034.vdocument.in/reader034/viewer/2022042713/546d269daf795953298b5177/html5/thumbnails/16.jpg)
Threat Management Reporting
[Diagram: Enterprise Reporting layered over the strategy flow: VA, VA’ and Threat Feed -> Analyze & Prioritize -> Notify Personnel -> Remediation Tasks]
![Page 17: New approaches to vulnerability management](https://reader034.vdocument.in/reader034/viewer/2022042713/546d269daf795953298b5177/html5/thumbnails/17.jpg)
A Best-in-Class Threat Management Program
• Consolidate Asset Data
• Consolidate Threat Data
• Manage your Risk Posture
• Monitor your Business Security and Risk Mitigation efforts
[Diagram: four numbered stages: 1 Assets, 2 Threats, 3 Risks, 4 Reports]
![Page 18: New approaches to vulnerability management](https://reader034.vdocument.in/reader034/viewer/2022042713/546d269daf795953298b5177/html5/thumbnails/18.jpg)
Consolidating Asset Information
[Diagram (stage 1): Asset Discovery, Asset Inventory and sensors feed Asset Management and Asset Integration into a Consolidated Database]
![Page 19: New approaches to vulnerability management](https://reader034.vdocument.in/reader034/viewer/2022042713/546d269daf795953298b5177/html5/thumbnails/19.jpg)
What is an Asset?
• Products and Services
• Business Processes
• Applications
• Devices
• Facilities
![Page 20: New approaches to vulnerability management](https://reader034.vdocument.in/reader034/viewer/2022042713/546d269daf795953298b5177/html5/thumbnails/20.jpg)
Device: Application Server Details
![Page 21: New approaches to vulnerability management](https://reader034.vdocument.in/reader034/viewer/2022042713/546d269daf795953298b5177/html5/thumbnails/21.jpg)
Consolidating Threat Data
• Threat Alerts
– Known vulnerabilities
– Patches
– CVE
– Bugtrack ID
• Vulnerability Scan
– Host IP address
– Vulnerabilities Found
– CVE
• Configuration Scan
– Hostname
– Registry Information
– Users
– Installed Applications
– Risks
![Page 22: New approaches to vulnerability management](https://reader034.vdocument.in/reader034/viewer/2022042713/546d269daf795953298b5177/html5/thumbnails/22.jpg)
Vulnerability: Details Overview
![Page 23: New approaches to vulnerability management](https://reader034.vdocument.in/reader034/viewer/2022042713/546d269daf795953298b5177/html5/thumbnails/23.jpg)
Turning Threat Data into Intelligence
Scan Results

| Scan ID | CVE-ID |
|---|---|
| 90423 | CVE-2007-0069 |
| 90423 | CVE-2007-0066 |
| 90420 | CVE-2007-5350 |
| 90418 | CVE-2007-0064 |

Threat Alerts

| Alert ID | CVE-ID |
|---|---|
| 466355 | CVE-2007-5350 |
| 466938 | CVE-2007-0069 |
| 466951 | CVE-2007-0066 |

Asset Data (the host list appears twice on the slide, once beside the scan results and once as asset data)

| Host Name | IP Address |
|---|---|
| DBSERV001 | 192.168.1.101 |
| APPSERV002 | 192.168.1.100 |
![Page 24: New approaches to vulnerability management](https://reader034.vdocument.in/reader034/viewer/2022042713/546d269daf795953298b5177/html5/thumbnails/24.jpg)
Map Alerts and Assets to Scan Results
• Map Scan Results to Alerts using CVE-ID
• Identify Vulnerability Alerts associated with Scan Results
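The join described on this slide and in Step 3 of the three-step process (alerts to scan results on CVE-ID, scan results to assets on IP, then a confidence for an IDS event against its target), as an added example that is not part of the original deck. The rows mirror the slide's tables; the scan-to-host IP pairings and the SIG_TO_CVE signature map are assumptions, since the deck lists hosts without tying them to scan IDs.

```python
"""Correlate scan results, threat alerts and asset data, then score IDS
events against the assets they target. Added example, not from the deck."""
from collections import defaultdict

# Constructed sample data modelled on the deck's tables. Which host each
# scan ran against is assumed here; the deck does not state it.
SCAN_RESULTS = [  # (scan id, host ip, cve id)
    (90423, "192.168.1.100", "CVE-2007-0069"),
    (90423, "192.168.1.100", "CVE-2007-0066"),
    (90420, "192.168.1.101", "CVE-2007-5350"),
    (90418, "192.168.1.101", "CVE-2007-0064"),
]
THREAT_ALERTS = {466355: "CVE-2007-5350", 466938: "CVE-2007-0069",
                 466951: "CVE-2007-0066"}  # alert id -> cve id
ASSETS = {"192.168.1.101": "DBSERV001", "192.168.1.100": "APPSERV002"}
# Hypothetical IDS signature -> CVE map (the "map signatures to VUL IDs" step).
SIG_TO_CVE = {"SIG-1001": "CVE-2007-5350", "SIG-1002": "CVE-2007-0069"}


def vulnerable_cves_by_host():
    """Index scan findings by host IP: ip -> {cve: scan_id}."""
    index = defaultdict(dict)
    for scan_id, ip, cve in SCAN_RESULTS:
        index[ip][cve] = scan_id
    return index


def alerts_for_assets():
    """Join alerts to scan results on CVE-ID, then scan results to assets on
    IP. Returns sorted (hostname, cve, scan_id, alert_id) tuples; findings
    with no matching alert (CVE-2007-0064 here) are left out."""
    cve_to_alert = {cve: aid for aid, cve in THREAT_ALERTS.items()}
    rows = []
    for ip, findings in vulnerable_cves_by_host().items():
        for cve, scan_id in findings.items():
            if cve in cve_to_alert:
                rows.append((ASSETS.get(ip, ip), cve, scan_id, cve_to_alert[cve]))
    return sorted(rows)


def event_confidence(target_ip, sig_id):
    """Step 3: rate how likely an IDS event is to affect its target.
    'high' when the target's own scan shows the CVE the signature covers,
    'low' when it does not, 'unknown' when the signature or host is unmapped."""
    cve = SIG_TO_CVE.get(sig_id)
    if cve is None or target_ip not in ASSETS:
        return "unknown"
    known = vulnerable_cves_by_host().get(target_ip, {})
    return "high" if cve in known else "low"
```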
![Page 25: New approaches to vulnerability management](https://reader034.vdocument.in/reader034/viewer/2022042713/546d269daf795953298b5177/html5/thumbnails/25.jpg)
Manage and Track Remediation Progress
• Document Remediation Activity
• Assign and Delegate Tasks to responsible personnel
• Track Activity History
![Page 26: New approaches to vulnerability management](https://reader034.vdocument.in/reader034/viewer/2022042713/546d269daf795953298b5177/html5/thumbnails/26.jpg)
Reports: Enterprise Security Posture
• Provides users with a single interface for IT Security information at any level for Threat Management
• Presents relevant security information in an understandable format customized for differing environments
• Enables users to understand what actions should be taken to reduce risk and/or improve configuration compliance
![Page 27: New approaches to vulnerability management](https://reader034.vdocument.in/reader034/viewer/2022042713/546d269daf795953298b5177/html5/thumbnails/27.jpg)
Additional Data Sources
[Diagram: additional data sources (AV, Auth, WAF, DLP, AD, WLAN, EP, URL, FW, IPS) feed the SIEM; data enhancement adds event aggregation, location, identity, division, department, data, asset value, geo info and regulation; consumers include CIRT, SOC, GIS, threats, incidents, GRC UI, HR, Legal, Eng. and business reporting]
![Page 28: New approaches to vulnerability management](https://reader034.vdocument.in/reader034/viewer/2022042713/546d269daf795953298b5177/html5/thumbnails/28.jpg)
Emerging Vendors to Watch
• NeuralIQ
– Next-generation honey pot
– Virtual machine-based clones of production systems capture all attacker behavior from the hypervisor
• HBGary
– Technologies to analyze malware, fingerprinting the ‘DNA’ at the memory and execution level
– Has proactive capabilities to prevent execution of identified “risky” behavior
![Page 29: New approaches to vulnerability management](https://reader034.vdocument.in/reader034/viewer/2022042713/546d269daf795953298b5177/html5/thumbnails/29.jpg)
Emerging Vendors to Watch (cont.)
• Checkmarx
– Static Application Security Testing (SAST) company
– Compiles all scanned code into a common framework for future testing
• Mykonos
– Web 2.0 AJAX framework
– Ensures that JavaScript code on end-user systems is not compromised
– Built-in security for AJAX calls and functions
![Page 30: New approaches to vulnerability management](https://reader034.vdocument.in/reader034/viewer/2022042713/546d269daf795953298b5177/html5/thumbnails/30.jpg)
A Parting Thought
“Security is always going to be a cat and mouse game because there'll be people out there that are hunting for the zero day award, you have people that don't have configuration management, don't have vulnerability management, don't have patch management.”
-Kevin Mitnick